Introduction

On May 7, 2025, the Utah Artificial Intelligence Policy Act (UAIP) amendments will go into effect. These  amendments provide significant updates to Utah’s 2024 artificial intelligence (AI) laws. In particular, the amendments focus on  regulation of AI in the realm of consumer protection (S.B. 226 and S.B. 332), mental health applications (H.B. 452), and unauthorized impersonations (aka “deep fakes”) (S.B. 271). 

Background (SB 149)

In March 2024, Utah became one of the first states to enact comprehensive artificial intelligence legislation with the passage of the Utah Artificial Intelligence Policy Act (UAIP, S.B. 149)  specifically addressing AI. Commonly referred to as the “Utah AI Act,” these provisions create important obligations for businesses that use AI systems to interact with Utah consumers. The UAIP Act went into effect as of May 1, 2024.

If your business provides or uses AI-powered software or services that Utah residents access, you need to understand these requirements — even if your company isn’t based in Utah. This post will help break down these key amendments and what they mean for your business operations.

GenAI Defined

The Utah Act defines generative AI (GenAI) as a system that is (a) trained on data, (b) interacts with a person in Utah, and (c) generates outputs similar to outputs created by a human. (SB 149, 13-2-12(1)(a)). 

Transparency and Disclosure Requirements

If a company provides services in a regulated occupation (that is, those occupations that require a person to obtain a state certification or license to practice that occupation), the company shall disclose when the person is interacting with GenAI in the delivery of regulated services if the interaction is defined as “high risk” by the statute. The disclosure regarding regulated services shall be provided at the beginning of the interaction and disclosed orally if during a verbal interaction or in writing if via a written interaction. If the GenAI supplier wants the benefit of the Safe Harbor, then use of the AI system shall be disclosed at the beginning of any interaction and throughout the exchange of information.  (S.B. 226).

If a company uses GenAI to interact with a person in Utah in “non-regulated” occupations, the company must disclose that the person is interacting with a GenAI system and not a human when asked by the Utah consumer. 

S.B. 226 further added mandatory requirements for high-risk interactions related to health, financial, and biometric data, or providing personalized advice in areas like finance, law, or healthcare. Additionally, S.B. 226 granted authority to the Division of Consumer Protection to make rules to specify the form and methods of the required disclosures.

Enforcement and Penalties

The Utah Division of Consumer Protection may impose an administrative fine of up to $2,500 for each violation of the UAIP. The courts or the Utah attorney general may also impose a civil penalty of no more than $5,000 for each violation of a court order or administrative order. As made clear by S.B. 226, violations of the Act are subject to injunctive relief, disgorgement of profits, and subject to paying the Division’s attorney fees and costs. 

Key Takeaways

The 2024 Act requires that companies clearly and conspicuously disclose when a person is interacting with GenAI if asked or requested by the person interacting with the AI system. The restrictions are even tighter when using GenAI in a regulated occupation that involve sensitive personal information or significant personal decision in the high-risk categories as amended in 2025 under S.B. 226. In those instances, the company shall disclose the use of GenAI. If the supplier wants the benefit of the 2025 Safe Harbor under S.B. 226, the AI system shall disclose its use at the beginning of an interaction and throughout the interaction.   

Conclusion

Utah, along with several other states, took the lead to enact AI-related laws. It is likely that states will continue to regulate AI technology ahead of the federal government.

Stay tuned for subsequent blog posts that will provide updates on mental health applications (H.B. 452) and unauthorized impersonations (aka “deep fakes”) (S.B. 271).

Tags: AI
Photo of A.J. Bahou A.J. Bahou

A.J. Bahou is Bradley’s Artificial Intelligence (AI) practice leader and an intellectual property attorney who focuses on the intersection of law and technology. A registered patent attorney, trial lawyer, mediator and arbitrator, he has extensive experience in the areas of electrical and computer…

A.J. Bahou is Bradley’s Artificial Intelligence (AI) practice leader and an intellectual property attorney who focuses on the intersection of law and technology. A registered patent attorney, trial lawyer, mediator and arbitrator, he has extensive experience in the areas of electrical and computer engineering technologies, including artificial intelligence, virtual reality, medical devices, computer hardware, blockchain, software, and internet security systems. With 20 years of patent litigation experience, A.J. handles the full spectrum of intellectual property litigation, from pre-complaint investigation through trial and appeal in matters involving patents, copyrights, trademarks, trade secrets, and commercial disputes.

Read more about A.J. BahouEmailA.J.'s Linkedin Profile
Show more Show less
Photo of Erin Jane Illman Erin Jane Illman

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly…

Erin Illman is a dynamic problem solver with a strong understanding of U.S. and international private-sector privacy laws and regulations and the legal requirements for the transfer of sensitive personal data to/from the United States, the European Union and other jurisdictions. She regularly advises clients on CCPA, GLBA, HIPAA, COPPA, CAN-SPAM, FCRA, security breach notification laws, and other U.S. state and federal privacy and data security requirements, and global data protection laws. In addition to providing proactive privacy and information security compliance and legal advice, Erin manages privacy-related enforcement actions and litigation. Her practice includes representing companies in reactive incident response situations, including insider cybersecurity threats, electronic and physical theft of trade secrets, and investigation, analysis, and notification efforts with respect to security incidents and breaches.

Read more about Erin Jane IllmanEmailErin Jane's Linkedin Profile
Show more Show less